Summary

The Cloud Router Switch series are highly integrated switches with a high-performance MIPS CPU and a feature-rich packet processor. The CRS switches can be designed into various Ethernet applications, including unmanaged switch, Layer 2 managed switch, carrier switch and wireless/wired unified packet processing.

Port Switching

Similarly to other RouterBoards, port switching on CRS allows wire-speed traffic forwarding among a group of ports, as if the ports were a regular Ethernet switch. This feature is configured by setting the "master-port" property on one or more ports in the /interface ethernet menu. The "master-port" is the port through which RouterOS communicates with all ports in the group. Interfaces which have the "master-port" specified become isolated: no traffic can be received and no traffic can be sent out directly from RouterOS.

Here is a general diagram of RouterBoard with a five port switch chip:

A packet that is received by one of the ports always passes through the switch logic first. The switch logic decides which ports the packet should go to. Passing a packet "up", or giving it to RouterOS, is also called sending it to the switch chip's "CPU" port. This means that once the switch forwards the packet to the CPU port, the packet starts to be processed by RouterOS as an incoming packet of the "master-port". If the packet does not have to go to the "CPU" port, it is handled entirely by the switch logic, does not require any CPU resources and is forwarded at wire-speed.

Additionally, CRS series switches support multiple "master-port" configurations and have no port selection limitations for a port group, which makes many different switched port combinations possible with all CRS switch interfaces. However, no port can be in more than one switch group.

Now ether2 is the "master-port" of group 1, ether13 of group 2 and ether21 of group 3.

Note: Previously a link was detected only on interfaces with a physical connection, but now since the ether2, ether13 and ether21 have connection to CPU, the running flag is propagated to them, as well.

CRS Port Switching Example

In essence this configuration is the same as if you had a RouterBoard with 10 Ethernet interfaces and 3 switches:

CRS Port Switching Logic

Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits part of VLAN functionality supported by CRS switch-chip.
For advanced configurations use one master-port within CRS switch chip for all ports, configure VLANs and isolate port groups with port isolation profile configuration.

Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.

Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.

vlan-id (0..4095)

Unicast FDB lookup/learning VLAN id.

Multicast FDB

Sub-menu: /interface ethernet switch multicast-fdb

CRS125 switch-chip supports up to 1024 entries in MFDB for multicast forwarding. For each multicast packet, destination MAC or destination IP lookup is performed in MFDB. MFDB entries are not automatically learnt and can only be configured.

Shared VLAN Learning (svl) - learning/lookup is based on MAC addresses - not on VLAN IDs.

Independent VLAN Learning (ivl) - learning/lookup is based on both MAC addresses and VLAN IDs.

vlan-id (0..4095)

VLAN id of the VLAN member entry.

Egress VLAN Tag

Sub-menu: /interface ethernet switch egress-vlan-tag

Egress packets can be assigned a different VLAN tag format. The VLAN tags can be removed, added, or left as is when the packet is sent to the egress port (destination port). Each port has dedicated control over the egress VLAN tag format. The tag formats include:

The new customer VLAN id which replaces original service VLAN id for matched packets.

new-service-vid (0..4095; Default: 0)

The new service VLAN id which replaces original service VLAN id for matched packets.

src-mac-address (MAC address)

Matching source MAC address for MAC based VLAN rule.

1:1 VLAN Switching

Sub-menu: /interface ethernet switch one2one-vlan-switching

1:1 VLAN switching can be used to replace the regular L2 bridging for matched packets. When a packet hits a 1:1 VLAN switching table entry, the destination port information in the entry is assigned to the packet. The matched destination information in UFDB and MFDB entry no longer applies to the packet.

Property

Description

customer-vid (0..4095; Default: 0)

Matching customer VLAN id for 1:1 VLAN switching.

disabled (yes | no; Default: no)

Enables or disables 1:1 VLAN switching table entry.

dst-port (port)

Destination port for matched 1:1 VLAN switching packets.

service-vid (0..4095; Default: 0)

Matching customer VLAN id for 1:1 VLAN switching.

Port Isolation/Leakage

Sub-menu: /interface ethernet switch port-isolation

Sub-menu: /interface ethernet switch port-leakage

The CRS switches support flexible multi-level isolation features, which can be used for user access control, traffic engineering and advanced security and network management. The isolation features provide an organized fabric structure allowing user to easily program and control the access by port, MAC address, VLAN, protocol, flow and frame type. The following isolation and leakage features are supported:

Port-level isolation

MAC-level isolation

VLAN-level isolation

Protocol-level isolation

Flow-level isolation

Free combination of the above

Port-level isolation supports different control schemes on source port and destination port. Each entry can be programmed with access control for either source port or destination port.

When the entry is programmed with source port access control, the entry is applied to the ingress packets.

When the entry is programmed with destination port access control, the entry is applied to the egress packets.

Port leakage allows bypassing egress VLAN filtering on the port. A leaky port is allowed to access other ports for various applications such as security, network control and management.

Note: When both isolation and leakage are applied to the same port, the port is isolated.

Trunking

Sub-menu: /interface ethernet switch trunk

Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported yet. Up to 8 Trunk groups are supported with up to 8 Trunk member ports per Trunk group.

Property

Description

disabled (yes | no; Default: no)

Enables or disables port trunking entry.

member-ports (ports)

Member ports of the Trunk group.

name (string value; Default: trunkX)

Name of the Trunk group.

Quality of Service

Shaper

Sub-menu: /interface ethernet switch shaper

Traffic shaping restricts the rate and burst size of the flow which is transmitted out from the interface. The shaper is implemented by a token bucket. If the packet exceeds the maximum rate or the burst size, which means there are not enough tokens for the packet, the packet is stored in a buffer until there are enough tokens to transmit it.

Property

Description

burst (integer; Default: 100k)

Maximum data rate which can be transmitted while the burst is allowed.

disabled (yes | no; Default: no)

Enables or disables traffic shaper entry.

meter-unit (bit | packet; Default: bit)

Measuring units for traffic shaper rate.

port (port)

Physical port for traffic shaper.

rate (integer; Default: 1M)

Maximum data rate limit.

target (port | queueX | wrr-groupX; Default: port)

Three levels of shapers are supported on each port (including CPU port):

Port level - Entry applies to port of the switch-chip.

WRR group level - Entry applies to one of the 2 Weighted Round Robin queue groups (wrr-group0, wrr-group1) on port.

Queue level - Entry applies to one of the 8 queues (queue0 - queue7) on port.

Ingress Port Policer

Sub-menu: /interface ethernet switch ingress-port-policer

Property

Description

burst (integer; Default: 100k)

Maximum data rate which can be transmitted while the burst is allowed.

layer-3 - includes only layer-3 + ethernet padding without layer-2 header and FCS.

meter-unit (bit | packet; Default: bit)

Measuring units for traffic ingress port policer rate.

new-dei-for-yellow (0..1 | remap; Default: none)

Remarked DEI for exceeded traffic if yellow-action is remark.

new-dscp-for-yellow (0..63 | remap; Default: none)

Remarked DSCP for exceeded traffic if yellow-action is remark.

new-pcp-for-yellow (0..7 | remap; Default: none)

Remarked PCP for exceeded traffic if yellow-action is remark.

packet-types (packet-types; Default: all types from description)

Matching packet types for which ingress port policer entry is valid.

port (port)

Physical port or trunk for ingress port policer entry.

rate (integer)

Maximum data rate limit.

yellow-action (drop | forward | remark; Default: drop)

Performed action for exceeded traffic.
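
The difference between the Shaper (exceeding packets are buffered) and the Ingress Port Policer (exceeding packets get the yellow-action) can be seen by running the same burst through both. This is an added Python example, not MikroTik code: the function names are hypothetical, the sample packets are constructed, and it assumes `rate` is in units per second and `burst` is the depth of the token bucket.

```python
class TokenBucket:
    """Bucket refilled at `rate` units/s, holding at most `burst` units (assumed model)."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0

    def refill(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now


def police(packets, rate, burst, yellow_action="drop"):
    """Ingress policer: never delays; exceeding packets get yellow_action."""
    bucket, out = TokenBucket(rate, burst), []
    for t, size in packets:
        bucket.refill(t)
        if bucket.tokens >= size:
            bucket.tokens -= size
            out.append((t, size, "green"))
        elif yellow_action != "drop":          # forward or remark
            out.append((t, size, "yellow-" + yellow_action))
    return out


def shape(packets, rate, burst):
    """Egress shaper: exceeding packets wait in FIFO order until tokens suffice."""
    bucket, out, free_at = TokenBucket(rate, burst), [], 0.0
    for t, size in packets:
        if size > burst:
            raise ValueError("packet larger than burst can never be sent")
        start = max(t, free_at)                # cannot overtake queued packets
        bucket.refill(start)
        if bucket.tokens < size:               # wait until the deficit is refilled
            start += (size - bucket.tokens) / rate
            bucket.refill(start)
        bucket.tokens -= size
        free_at = start
        out.append((start, size))
    return out


# Constructed sample: (arrival time in s, size in bits); a burst of three, then one more.
SAMPLE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 1000)]

if __name__ == "__main__":
    print("policer/drop  :", police(SAMPLE, rate=1000, burst=1500))
    print("policer/remark:", police(SAMPLE, rate=1000, burst=1500, yellow_action="remark"))
    print("shaper        :", shape(SAMPLE, rate=1000, burst=1500))
```

With this sample the policer in drop mode passes only two of the four packets, while the shaper delivers all four with added delay.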

QoS Group

Sub-menu: /interface ethernet switch qos-group

The global QoS group table is used for VLAN-based, Protocol-based and MAC-based QoS group assignment configuration.

Property

Description

dei (0..1; Default: none)

The new value of DEI for the QoS group.

disabled (yes | no; Default: no)

Enables or disables protocol QoS group entry.

drop-precedence (drop | green | red | yellow; Default: green)

Drop precedence is internal QoS attribute used for packet enqueuing or dropping.

dscp (0..63; Default: none)

The new value of DSCP for the QoS group.

name (string value; Default: groupX)

Name of the QoS group.

pcp (0..7; Default: none)

The new value of PCP for the QoS group.

priority (0..15; Default: 0)

Internal priority is a locally significant priority used for classifying traffic to different egress queues on a port.

DSCP QoS Map

Sub-menu: /interface ethernet switch dscp-qos-map

The global DSCP to QOS mapping table is used for mapping from DSCP of the packet to new QoS attributes configured in the table.

Property

Description

dei (0..1)

The new value of DEI for the DSCP to QOS mapping entry.

drop-precedence (drop | green | red | yellow)

The new value of Drop precedence for the DSCP to QOS mapping entry.

pcp (0..7)

The new value of PCP for the DSCP to QOS mapping entry.

priority (0..15)

The new value of internal priority for the DSCP to QOS mapping entry.

DSCP To DSCP Map

Sub-menu: /interface ethernet switch dscp-to-dscp

The global DSCP to DSCP mapping table is used for mapping from the packet's original DSCP to new DSCP value configured in the table.

Property

Description

new-dscp (0..63)

The new value of DSCP for the DSCP to DSCP mapping entry.

Policer QoS Map

Sub-menu: /interface ethernet switch policer-qos-map

Property

Description

dei-for-red (0..1; Default: 0)

Policer DEI remapping value for red packets.

dei-for-yellow (0..1; Default: 0)

Policer DEI remapping value for yellow packets.

dscp-for-red (0..63; Default: 0)

Policer DSCP remapping value for red packets.

dscp-for-yellow (0..63; Default: 0)

Policer DSCP remapping value for yellow packets.

pcp-for-red (0..7; Default: 0)

Policer PCP remapping value for red packets.

pcp-for-yellow (0..7; Default: 0)

Policer PCP remapping value for yellow packets.

Access Control List (supported on CRS226 series)

Note: Access Control List is supported only on CRS226 series.

The Access Control List consists of ingress policy and egress policy engines and allows configuring up to 512 policy rules. It is an advanced tool for wire-speed packet filtering, forwarding, shaping and modifying based on Layer2, Layer3 and Layer4 protocol header field conditions.

ACL

Sub-menu: /interface ethernet switch acl

ACL condition part for MAC related fields of packets.

Property

Description

disabled (yes | no; Default: no)

Enables or disables ACL entry.

table (egress | ingress; Default: ingress)

Selects policy table for incoming or outgoing packets.

invert-match (yes | no; Default: no)

Inverts whole ACL rule matching.

src-ports (ports,trunks)

Matching physical source ports or trunks.

dst-ports (ports,trunks)

Matching physical destination ports or trunks.

mac-src-address (MAC address)

Source MAC address.

mac-dst-address (MAC address)

Destination MAC address.

dst-addr-registered (yes | no)

Defines whether to match packets with registered state - packets whose destination MAC address is in UFDB/MFDB/RFDB. Valid only in egress table.

mac-protocol (802.2 | arp | ip | ipv6 | ipx | length | mpls-multicast | mpls-unicast | pppoe | pppoe-discovery | rarp | vlan or integer: 0..65535 decimal format or 0x0000-0xffff hex format)

Ethernet payload type (MAC-level protocol)

802.2

arp - Type 0x0806 - ARP

ip - Type 0x0800 - IPv4

ipv6 - Type 0x86dd - IPv6

ipx - Type 0x8137 - "Internetwork Packet Exchange"

mpls-multicast - Type 0x8848 - MPLS Multicast

mpls-unicast - Type 0x8847 - MPLS Unicast

pppoe - Type 0x8864 - PPPoE Session

pppoe-discovery - Type 0x8863 - PPPoE Discovery

rarp - Type 0x8035 - Reverse ARP

vlan - Type 0x8100 - 802.1Q tagged VLAN

drop-precedence (drop | green | red | yellow)

Matching internal drop precedence. Valid only in egress table.

custom-fields

ACL condition part for VLAN related fields of packets.

Property

Description

lookup-vid (0..4095)

VLAN id used in lookup. It can be changed before reaching egress table.